For years, Boston Public Schools kept its email server inside a data center behind a locked door, a key code and a security guard.
When the district — along with the rest of the city — moved to Google Apps for email and collaboration tools this past winter, many BPS stakeholders wondered where their data was, who could see it and whether it was safe.
"When we explained the security that cloud service providers have, compared to what we can do on our own — because of economies of scale and because this is the providers' business — they started to see that the technology provided by these providers can be just as safe," says Mark Racine, CIO of the 128-school district, which serves 57,000 students.
It's a discussion that K–12 communities nationwide have been having as more districts turn to cloud services, and for good reason. A December 2013 report by the Fordham Law School Center on Law and Information Policy found that while more and more districts are taking advantage of the cloud, many of their policies don't adhere to education privacy laws.
In fact, fewer than 7 percent of those studied prohibit service providers from selling or marketing student data.
Plenty of districts have carved out strategies to take advantage of the benefits of the cloud without compromising the privacy of the data they're charged with protecting, however.
"Student privacy is at the front of everything that we do when we're looking at a service or a contract," Racine says.
Weighing the Cloud
Cloud services fall into two categories, explains Bob Moore, founder and chief consultant of RJM Strategies, an education technology consultancy. Some have flexible contracts, allowing districts to negotiate terms, while others, known as "freemium" or "click-wrap" contracts, have set terms of service that users need to click through and accept.
"It's kind of a take-it-or-leave-it situation," says Moore, who also served as project manager in developing the Protecting Privacy in Connected Learning Toolkit, a free resource for educators on cloud privacy that the Consortium for School Networking released in March.
The latter is problematic because districts — especially smaller ones that don't have much leverage to negotiate contracts because they don't spend as much as larger districts — have little, if any, say in cloud practices. Yet the Family Educational Rights and Privacy Act holds districts, not service providers, accountable for protecting the privacy of the data uploaded to those services.
"That's a fundamental flaw in the system," Moore says.
"If you over-legislate, it could create a chilling effect in the market, because vendors worry about breaking a law," Moore explains. "The last thing we want to do is stop innovation in the market and stop innovation in the classroom."
Read the Fine PrintAmid the legalese of a cloud services agreement, one point caught the eye of Dr. Ramiro Zuniga, chief of technology for the 15-school Port Arthur (Texas) Independent School District. In terms of data security, the contract said that the vendor would do what was "most reasonable." It had "nothing about data encryption, nothing about data redundancy," he says.
Zuniga has learned the importance of reading cloud services agreements' fine print, but he doesn't stop there. He makes sure he knows someone on the vendor's staff who can explain the contract and take personal responsibility if there's a problem.
"It's not enough to call an 800 number," Zuniga says. "If I am going to enter into a contract with a vendor, I want a thorough understanding of what services they can or cannot provide — including their safeguards, what type of security measures they have, how many data centers they have and so on."
Racine leans heavily on BPS' legal department when reviewing cloud service contracts. Although the legal process can be time-consuming, "there's great value in taking your time when it comes to information security," he says.
Like BPS and Port Arthur ISD, Wisconsin's Tomah Area School District uses both public and private clouds, but it skews heavily toward keeping data in-house. Historically, that was because Director of Technological Infrastructure Paul P. Potter has a software engineering background, so building applications was less expensive than buying from vendors. But privacy concerns have only reinforced Potter's preference for in-house applications.
When he does turn to a public-cloud service, Potter has a list of questions he asks before signing an agreement. First, he confirms that the district, which operates 11 schools, has the legal right to give the vendor access to the data. Next, he makes sure that the vendor asks only for necessary information, and he pays close attention to the data he uploads. He also obtains written confirmation that the district's data will not be sold.
"You can have all the reassurances in the world," he says. "But once somebody has access to your data, you really have no control over whether it's been copied or who has access to it."
Show Them the WayAlthough Boston's move to Google Apps was praised, it also raised questions, particularly when Google's former practice of scanning personal emails made headlines this past spring. But Racine says such scrutiny is a good thing.
"Phishing scams and social hacking are real threats that we have to deal with daily, so I welcome the fact that people are thinking about the safety of our students' data," he says. "Any system, whether it's in-house or in the cloud — if it's housing sensitive information, it's only as secure as how the users use it."
With a service provider managing the email system, Racine and his staff have more time to educate users on data security. They also educate employees to use services that have been vetted by the IT and legal departments, rather than finding applications on their own.
Port Arthur ISD's instructional technologists train and provide guidelines to users regarding education privacy laws, but they also encourage teachers to use tools they find valuable.
"I think one of the worst things that I can do as the chief of technology is to tell my teachers, 'You may not choose your own product,' " Zuniga says.
It's a delicate balance, and districts need to determine what's right for them, Moore adds. "There's no 'easy' button for this or one simple thing you can do that just fixes this issue," he says. "You have to roll up your sleeves and work with it."
Private ThoughtsDistrict leaders can safeguard the privacy of online data by doing the following:
- Put someone in charge of privacy for the district.
- Have vendors specify where and how data will be stored, backed up and secured; who will have access to it (vendor staff and third parties); and how and when it will be deleted.
- Ensure that contracts prohibit or limit selling or marketing student information without parental consent.
- Require vendors to notify the district if the data is breached.
- Post online the cloud services used by the district, the types of data uploaded to them and the privacy protections for that data.
- Create policies governing the use of cloud services by staff.
- Pay attention not just to the data uploaded to sites, but to the sites' practices as well. For instance, is a tutorial website monitoring students' drills so it can pitch them targeted ads for help in areas in which they are struggling?
25% The percentage of districts that inform parents about their cloud service usage, despite the fact that education privacy laws require parental consent before sharing student information*
SOURCE: "Privacy and Cloud Computing in Public Schools" (Fordham Law School Center on Law and Information Policy, December 2013)
5 details to look for in a cloud services agreement.Melissa Delaney
Paul P. Potter, director of technological infrastructure for the Tomah Area School District in Wisconsin, suggests that K–12 IT leaders insist on the following stipulations before signing a cloud services agreement:
- Content, including backups, will be deleted upon termination of the contract.
- No content will be shared with another party without written consent from the school district.
- All passwords and backups are encrypted.
- Changes to the agreement must be agreed upon by the school district.
- Access to content will be limited to cloud service employees performing required maintenance.